fix: auth logout, Nginx configs, missing dependency, CORS

- auth: logout endpoint now accepts refresh_token (was admin_id which
  frontend can't know) — added logout_by_token() to AuthService
- api.js: sendBeacon uses Blob with application/json content-type
  (was sending text/plain which FastAPI couldn't parse)
- Nginx: fixed SPA fallback to 404 (not SPA), added install.php
  PHP-FPM handler, added production HTTPS config for api.synaglobal.vip
- requirements: added cryptography==44.0.0 (used by crypto.py but
  was missing from requirements.txt)
- models: removed unused Fernet import from domain models
- CORS: added http://api.synaglobal.vip origin

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
Your Name
2026-05-22 00:30:28 +08:00
parent cd3c35b5e6
commit 56993e4f98
8 changed files with 148 additions and 14 deletions
+14 -5
View File
@@ -50,9 +50,18 @@ server {
proxy_set_header Host $host;
}
# ── Legacy install.php redirect ──
location = /install.php {
return 301 /app/install.html;
# ── install.php (PHP-FPM for installer, root = /web/) ──
location ~ ^/install\.php$ {
root /www/wwwroot/api.synaglobal.vip/web;
fastcgi_pass unix:/tmp/php-cgi-82.sock;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
include fastcgi_params;
}
# ── Installer assets (CSS/JS in /web/) ──
location ~ ^/(css|js|vendor)/ {
root /www/wwwroot/api.synaglobal.vip/web;
try_files $uri =404;
}
# ── Static assets ──
@@ -70,9 +79,9 @@ server {
deny all;
}
# ── SPA fallback: all paths → index.html ──
# ── Static HTML pages (no SPA — each page is standalone) ──
location / {
try_files $uri $uri/ /index.html;
try_files $uri $uri/ =404;
}
# ── Logging ──
+111
View File
@@ -0,0 +1,111 @@
# Nexus v6.0 — Nginx Production Config (HTTPS)
# Domain: api.synaglobal.vip (宝塔面板管理)
# Backend: uvicorn 0.0.0.0:8600
# Frontend: /www/wwwroot/api.synaglobal.vip/web/app/ (Tailwind CSS v4 + Alpine.js)
# ── Upstream: Python FastAPI backend ──
upstream nexus_api {
server 127.0.0.1:8600;
keepalive 32;
}
# ── HTTP → HTTPS redirect ──
server {
listen 80;
server_name api.synaglobal.vip;
return 301 https://$host$request_uri;
}
# ── HTTPS ──
server {
listen 443 ssl http2;
server_name api.synaglobal.vip;
# SSL (宝塔面板自动管理证书)
ssl_certificate /www/server/panel/vhost/cert/api.synaglobal.vip/fullchain.pem;
ssl_certificate_key /www/server/panel/vhost/cert/api.synaglobal.vip/privkey.pem;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
# HSTS
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
# Document root = new Tailwind app directory
root /www/wwwroot/api.synaglobal.vip/web/app;
index index.html;
# ── install.php (PHP-FPM for installer, root = /web/) ──
location ~ ^/install\.php$ {
root /www/wwwroot/api.synaglobal.vip/web;
fastcgi_pass unix:/tmp/php-cgi-82.sock;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
include fastcgi_params;
}
# ── Installer assets (CSS/JS in /web/) ──
location ~ ^/(css|js|vendor)/ {
root /www/wwwroot/api.synaglobal.vip/web;
try_files $uri =404;
}
# ── Python API proxy ──
location /api/ {
proxy_pass http://nexus_api;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_read_timeout 300s;
proxy_send_timeout 300s;
proxy_connect_timeout 10s;
}
# ── WebSocket proxy (alerts + WebSSH terminal) ──
location /ws/ {
proxy_pass http://nexus_api;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_read_timeout 3600s;
proxy_send_timeout 3600s;
}
# ── Health endpoint ──
location /health {
proxy_pass http://nexus_api;
proxy_set_header Host $host;
}
# ── Static assets (cache aggressively) ──
location ~* \.(css|js|png|jpg|jpeg|gif|ico|svg|woff|woff2|ttf|eot)$ {
expires 7d;
add_header Cache-Control "public, immutable";
try_files $uri =404;
}
# ── Deny sensitive files ──
location ~ /\. {
deny all;
}
location ~ /data/config\.php$ {
deny all;
}
# ── Static HTML pages (no SPA — each page is standalone) ──
location / {
try_files $uri $uri/ =404;
}
# ── Logging ──
access_log /www/wwwlogs/api.synaglobal.vip.log;
error_log /www/wwwlogs/api.synaglobal.vip.error.log;
# ── Upload limit ──
client_max_body_size 100m;
}
+1
View File
@@ -18,6 +18,7 @@ paramiko==3.5.0
asyncssh==2.17.0
PyJWT==2.10.1
bcrypt==4.2.1
cryptography==44.0.0
pyyaml==6.0.2
rich==13.9.4
redis[hiredis]==5.2.1
+5 -2
View File
@@ -29,7 +29,7 @@ class RefreshRequest(BaseModel):
class LogoutRequest(BaseModel):
admin_id: int
refresh_token: Optional[str] = None
class TotpSetupRequest(BaseModel):
@@ -85,7 +85,10 @@ async def logout(
service: AuthService = Depends(get_auth_service),
):
"""Invalidate refresh token (client should also discard access token)"""
result = await service.logout(payload.admin_id)
if payload.refresh_token:
result = await service.logout_by_token(payload.refresh_token)
else:
return {"success": True, "message": "已登出"}
return result
+11 -1
View File
@@ -148,7 +148,7 @@ class AuthService:
return admin
async def logout(self, admin_id: int) -> dict:
"""Invalidate refresh token"""
"""Invalidate refresh token by admin ID"""
admin = await self.admin_repo.get_by_id(admin_id)
if admin:
admin.jwt_refresh_token = None
@@ -156,6 +156,16 @@ class AuthService:
await self.admin_repo.update(admin)
return {"success": True, "message": "已登出"}
async def logout_by_token(self, refresh_token: str) -> dict:
"""Invalidate refresh token by token value (used by frontend logout)"""
admin = await self.admin_repo.get_by_refresh_token(refresh_token)
if admin:
admin.jwt_refresh_token = None
admin.jwt_token_expires = None
await self.admin_repo.update(admin)
await self._audit("logout", "admin", admin.id, f"Logout: {admin.username}")
return {"success": True, "message": "已登出"}
async def setup_totp(self, admin_id: int) -> dict:
"""Generate TOTP secret for an admin user (before enabling)"""
import base64
-2
View File
@@ -13,8 +13,6 @@ from sqlalchemy import (
)
from sqlalchemy.orm import declarative_base, relationship
from cryptography.fernet import Fernet
Base = declarative_base()
+2 -1
View File
@@ -171,8 +171,9 @@ app.add_middleware(DbSessionMiddleware)
app.add_middleware(
CORSMiddleware,
allow_origins=[
"http://172.31.170.47", # WSL development
"https://api.synaglobal.vip", # Production HTTPS
"http://api.synaglobal.vip", # Production HTTP (redirects to HTTPS)
"http://172.31.170.47", # WSL development
"http://localhost:8600", # Local dev
],
allow_credentials=True,
+4 -3
View File
@@ -88,10 +88,11 @@ function doLogout() {
const { access, refresh } = _getTokens();
if (access) {
try {
navigator.sendBeacon(
API + '/auth/logout',
JSON.stringify({ refresh_token: refresh })
const blob = new Blob(
[JSON.stringify({ refresh_token: refresh })],
{ type: 'application/json' }
);
navigator.sendBeacon(API + '/auth/logout', blob);
} catch {}
}
_logout();